Abstract. In this paper we propose a general definition of secrecy for cryptographic protocols in the Dolev-Yao model. We give a sufficient condition ensuring secrecy for protocols whose rules have encryption depth at most two, which is satisfied by almost all practical protocols. The only primitives allowed in the class of protocols we consider are pairing and encryption with atomic keys. Moreover, we describe an algorithm of practical interest which transforms a cryptographic protocol into one that is secure from the point of view of secrecy, without changing its original goal with respect to secrecy of nonces and keys, provided the protocol satisfies some conditions. These conditions are not very restrictive and are satisfied by most practical protocols.
1 Introduction

Cryptographic protocols are used to ensure secure communications between two or more parties in a distributed system. Among the requirements that cryptographic protocols must satisfy are the well-known authentication and secrecy or confidentiality.

Security protocol design and verification is a very hard problem. Sources of difficulty are numerous and of different types. The seminal paper for developing a model was proposed by D. Dolev and A.C. Yao [DY83]. In recent years many methods have been proposed for reasoning about cryptographic protocols. Some of them are based on the trace model [Pau98, JG02], including models with an explicit state-transition system [CDL+99] or Horn clauses [Bla01, CCM01]. Another type of model uses processes to represent cryptographic protocols [AG00, Sch97].

Concerning secrecy there are basically two approaches: the first reduces the secrecy property to a reachability problem, the second defines secrecy in terms of an observational equivalence.

Most of the papers are devoted to decidability and undecidability results depending on various hypotheses related to the boundedness of nonces and sessions, the cryptographic primitives used, and so on. See for example [DLMS04] for a review of these results. Surprisingly, there are very few results that give rules to apply in order to guarantee the secrecy property. This question has already been answered in the case of cryptographic protocols using symmetric keys in [Bea04], which gives a sufficient condition for solving this problem. Here we consider a more general class of cryptographic protocols using both symmetric and asymmetric keys. We give a new sufficient condition adapted to this type of protocol and we describe an algorithm of practical interest. It transforms a cryptographic protocol (satisfying a condition which is not very restrictive) into a secure one from the point of view of secrecy, without changing its original goal with respect to secrecy of nonces and keys.

In Section 2 we describe the model. Section 3 gives the sufficient condition for a protocol to be secure w.r.t. secrecy, and Section 4 is devoted to the algorithm which transforms a cryptographic protocol into a secure one w.r.t. secrecy. The last section concludes.

Related work. As mentioned before, the security literature concentrates more on the verification of cryptographic protocols than on the synthesis of correct protocols. In [AN96] some prudent principles for designing protocols are given, but they do not guarantee success. Several of these principles are present in our definition of a well composed protocol. A sufficient condition based on typing is presented in [Aba99], but it concerns only symmetric keys and a binary view of secrecy according to which the world is divided into system and attacker. Our sufficient condition can be considered as a generalization of the sufficient condition given in [Low95]. Indeed, the protocols considered in that paper do not admit forwarding, which is an important restriction. Finally, to our knowledge, there is no paper which describes an algorithm that transforms a protocol into a secure one w.r.t. secrecy while preserving its original goal.

2 The model 

In this section we formalize the model we use and we specify the assumptions we make about protocols, commonly referred to as the "Dolev-Yao model". Our approach is largely inspired by [Low99]. The only primitives used are pairing and encryption. We assume that pairing is associative, which corresponds to practical protocols, so the algebra of terms is the quotient of a free algebra by the equations for associativity.

We are interested in the behavior of the protocol when the number of agents, nonces and sessions is unbounded. Moreover the hypothesis on the power of honest agents is as weak as possible: the knowledge of an agent is local, it does not have a global memory of all its sessions. On the contrary, the power of the intruder is maximal.

2.1 Messages 

Atomic values. The set $Value$ is the disjoint union of the types $Agent$, $Nonce$, $Key$ and $Cypher$. $Agent$, $Nonce$, $Key$ are sets of atomic values; $Cypher$ is the set of values obtained by encryption. The set $Agent$ is the set of all agent identities. It is partitioned into two subsets, honest agents and intruders: $Agent = Honest \cup Dishonest$. W.l.o.g. one supposes that the set $Dishonest$ contains a unique intruder $\mathcal{I}$. Agent variables, named $A, B, \ldots$, belong to the set $AgVar$. $Nonce$ is an infinite set of integers. Nonce variables, named $N, N_a, N_b, \ldots$, belong to the set $NVar$.

The set Key is divided into two disjoint subsets ShKey and LKey. 

- ShKey is the set of short term keys. Its elements correspond to symmetric keys 
used only for the current session. 

- LKey is the set of long term keys. It is a disjoint union of SymKey the set of 
symmetric keys and AsymKey the set of asymmetric keys. 

The set AsymKey is a disjoint union of two subsets PubKey (public keys) and 
PrivKey (private keys). 

Short term key variables, named $K, K', \ldots$, belong to the set $KVar$. Let $A, B$ be two agent variables. We denote respectively by $\mathcal{K}_{priv}(A)$, $\mathcal{K}_{pub}(A)$ and $\mathcal{K}(A, B)$ the long term private encryption key of $A$, the long term public encryption key of $A$, and the long term symmetric key shared by agents $A$ and $B$. Notice that in this notation $\mathcal{K}_{priv}(A)$ and $\mathcal{K}_{pub}(A)$ are both encryption keys, and $\mathcal{K}_{pub}(A)$ is NOT the inverse key of $\mathcal{K}_{priv}(A)$ and vice versa.

Symbolic terms. Symbolic terms are constructed using pairing and encryption. The pairing of terms $x$ and $y$ is the term $\langle x, y \rangle$, and the encryption of term $x$ using the key $K$ is $\{x\}_K$. $C$ is a set of constants.

The grammar used to generate symbolic terms is:

$key ::= C \mid KVar \mid \mathcal{K}_{pub}(AgVar) \mid \mathcal{K}_{priv}(AgVar) \mid \mathcal{K}(AgVar, AgVar)$

$symb\_term ::= NVar \mid AgVar \mid key \mid \langle symb\_term, symb\_term \rangle \mid \{symb\_term\}_{key}$

Pairing is associative, or equivalently for each $n$ we have a primitive for $n$-pairing. We will consider only terms which are in "canonical form". For example, the canonical form of the terms $\langle t_1, \langle t_2, t_3 \rangle \rangle$ and $\langle \langle t_1, t_2 \rangle, t_3 \rangle$ is $\langle t_1, t_2, t_3 \rangle$; this means that $\langle t_1, \langle t_2, t_3 \rangle \rangle$ and $\langle \langle t_1, t_2 \rangle, t_3 \rangle$ must be considered as triples and not as pairs.

The set of subterms of a term $\tau$ is denoted $Sub(\tau)$.

Concrete terms. Concrete terms are generated following the same grammar as for symbolic terms, except that variables in $NVar$, $KVar$, $AgVar$ are replaced by values of the corresponding type.

$Key ::= ShKey \mid \mathcal{K}_{pub}(Agent) \mid \mathcal{K}_{priv}(Agent) \mid \mathcal{K}(Agent, Agent)$

$conc\_term ::= Nonce \mid Agent \mid Key \mid \langle conc\_term, conc\_term \rangle \mid \{conc\_term\}_{Key}$

Synthesis and Analysis. In this subsection, 'term' means 'symbolic term'. 
The synthesis procedure represents terms the agents can build. The analysis 
procedure represents terms the agents can learn. 



Let $T$ be a set of terms and $A$ be an agent variable. The set $Synth_A(T)$ is the least set of terms containing $T$ and satisfying:

- $t_1, \ldots, t_p \in Synth_A(T) \Rightarrow \langle t_1, \ldots, t_p \rangle \in Synth_A(T)$ (an agent can compose the terms he knows).

- $\forall \tau \in Synth_A(T), \forall B \in AgVar$:

  • $\{\tau\}_{\mathcal{K}(A,B)} \in Synth_A(T)$ (an agent can encrypt with a symmetric key he shares with another agent);

  • $\{\tau\}_{\mathcal{K}_{priv}(A)} \in Synth_A(T)$ (an agent can encrypt with his own private key);

  • $\{\tau\}_{\mathcal{K}_{pub}(B)} \in Synth_A(T)$ (an agent can encrypt with the public key of any agent).

- $\forall \tau \in Synth_A(T)$ and for every short term key variable $K \in T$, $\{\tau\}_K \in Synth_A(T)$ (an agent can encrypt with every short term key he knows).

Let $A$ be an agent variable. Let $T$ and $T'$ be two sets of terms. We have $T \; Anal_A \; T'$ if one of the following properties holds:

- $\langle \tau_1, \ldots, \tau_p \rangle \in T$, $p > 1$ and $T' = (T \setminus \{\langle \tau_1, \ldots, \tau_p \rangle\}) \cup \{\tau_1\} \cup \ldots \cup \{\tau_p\}$ (an agent can decompose terms).

- $\{\tau\}_K \in T$, $K \in T$ is a symmetric session key variable, and $T' = (T \setminus \{\{\tau\}_K\}) \cup \{\tau\}$ (an agent can decrypt terms encrypted with a short term session key he knows).

- $\{\tau\}_{\mathcal{K}(A,B)} \in T$, $B \in T$ and $T' = (T \setminus \{\{\tau\}_{\mathcal{K}(A,B)}\}) \cup \{\tau\}$ (an agent can decrypt terms encrypted with a key shared with an agent he knows).

- $\{\tau\}_{\mathcal{K}_{pub}(A)} \in T$ and $T' = (T \setminus \{\{\tau\}_{\mathcal{K}_{pub}(A)}\}) \cup \{\tau\}$ (an agent can decrypt terms encrypted with his own public key).

- $\{\tau\}_{\mathcal{K}_{priv}(B)} \in T$, $B \in T$ and $T' = (T \setminus \{\{\tau\}_{\mathcal{K}_{priv}(B)}\}) \cup \{\tau\}$ (an agent can decrypt terms encrypted with the private key of an agent he knows).

A set of terms $T$ is called undecomposable if there does not exist any set of terms $T'$ such that $T \; Anal_A \; T'$ (an agent cannot decompose any term further). It is easy to prove that for any set of terms $T$ there exists a unique undecomposable set of terms $T'$ such that $T \; Anal^*_A \; T'$. This set is denoted $Anal^*_A(T)$.

For a term $\tau \in Anal^*_A(T)$ we define the number of steps necessary for $A$ to learn $\tau$ from $T$ as the number of decryption operations that $A$ must use before obtaining $\tau$; more precisely:

- $A$ learns $\tau$ from $T$ in $0$ steps iff some term $\langle \ldots, \tau, \ldots \rangle$ is in $T$ (we admit here a composition of a single element $\tau$; no decryption is necessary).

- if $A$ learns $\{\langle \ldots, \tau, \ldots \rangle\}_K$ from $T$ in at most $p$ steps and $K$ is a short term session symmetric key learnt by $A$ from $T$ in at most $q$ steps, then $\tau$ is learnt by $A$ from $T$ in at most $p + q + 1$ steps.

- if $A$ learns $\{\langle \ldots, \tau, \ldots \rangle\}_{\mathcal{K}(A,B)}$ from $T$ in at most $p$ steps and $B$ is learnt by $A$ from $T$ in at most $q$ steps, then $\tau$ is learnt by $A$ from $T$ in at most $p + q + 1$ steps.

- if $A$ learns $\{\langle \ldots, \tau, \ldots \rangle\}_{\mathcal{K}_{pub}(A)}$ from $T$ in at most $p$ steps, then $\tau$ is learnt by $A$ from $T$ in at most $p + 1$ steps.

- if $A$ learns $\{\langle \ldots, \tau, \ldots \rangle\}_{\mathcal{K}_{priv}(B)}$ from $T$ in at most $p$ steps and $B$ is learnt by $A$ from $T$ in at most $q$ steps, then $\tau$ is learnt by $A$ from $T$ in at most $p + q + 1$ steps.

For $\tau, \tau' \in Anal^*_A(T)$ we say that $A$ learns $\tau$ from $T$ before $\tau'$ if $A$ learns $\tau$ in $p$ steps, $\tau'$ in $p'$ steps, and $p < p'$.

Now, given a concrete agent $a$, we can define in the same way a relation $Anal_a$ on finite sets of concrete terms, as well as the other notions defined above, replacing agent and key variables by values of the corresponding type.



Message (Component, Protocol) Template. A component template is either a variable or an encrypted term. A message template, or t-message, is a tuple of the form $(A, B, \tau)$ where $A$ and $B$ are distinct agent variables representing respectively the sender and the receiver and $\tau$ is a term representing the content of the message.

A concrete message is a tuple $(a, b, m)$ where $a$ and $b$ are agent values and $m$ is a concrete term. It corresponds to the usual informal notation $A \to B : m$. A protocol template, or simply protocol, is a sequence of message templates. A role in a protocol template is an agent variable appearing in this protocol. Given a protocol $P$ with a set of roles $\mathcal{R}$, a session template $Ses_A$ for role $A \in \mathcal{R}$ is the subsequence of message templates of $P$ in which role $A$ is sender or receiver. Our running example will be the protocol TMN [TMN90] using asymmetric keys. Brackets for pairing are omitted as usual.

Example 1.

01 - $A \to S : B, \{K_a\}_{\mathcal{K}_{pub}(S)}$
02 - $S \to B : B, A$
03 - $B \to S : A, \{K_b\}_{\mathcal{K}_{pub}(S)}$
04 - $S \to A : B, \{K_b\}_{K_a}$

$Ses_S$ is the entire protocol. $Ses_A$ is the sequence:

$A \to S : B, \{K_a\}_{\mathcal{K}_{pub}(S)}$
$S \to A : B, \{K_b\}_{K_a}$



2.2 Realizable protocol template 

An elementary question is whether a protocol is "realizable", i.e. whether the honest agents can execute it. This notion appears in [RS03] as a "well-formed" protocol. We formalize this notion in our framework and give an algorithm which checks whether a protocol is realizable or not. One can observe that, as far as we are aware, most of the undecidability proofs [DLMS99, AC02a, AC02b] are based on protocols which are not realizable, which is a weakness of these proofs. Only in [CCM01] does the undecidability proof rely on realizable protocols.
Let $P$ be a protocol and $A$ be a role of this protocol. Consider the sequence of t-messages of the session template $Ses_A$. The $j$-th t-message of $Ses_A$ is of the form $(A, B_j, \tau_j)$ or $(B_j, A, \tau_j)$ depending on whether $A$ is sender or receiver of the message. We define $Kn_{A,j}$ as the knowledge of role $A$ after execution of message number $j$, that is to say, as the set of terms known by $A$ after the execution of the first $j$ t-messages of his session and that $A$ can no longer decompose.
This knowledge can be decomposed into two subsets:

- The basic knowledge of $A$ at step $j$, $BasKn_{A,j}$, which contains agent, nonce and key variables.

- The cryptographic knowledge of $A$ at step $j$, $CrKn_{A,j}$, which contains the encrypted terms known by $A$ at step $j$ that he cannot decrypt.

Notice that $Kn_{A,j}$ contains only terms which are component templates. From the definition of synthesis, we can define $Synth_A(Kn_{A,j})$ as the set of terms that $A$ can build from his knowledge at step $j$.

Let us define by induction on $j$ the set $Kn_{A,j}$ and the fact that the first $j$ messages of $Ses_A$ are realizable.

The initial knowledge of $A$, $Kn_{A,0}$, is fixed by the protocol.

We need to introduce the notion of new variables appearing in a t-message of protocol $P$. Let $(A_p, B_p, \tau_p)$ be the $p$-th t-message of $P$. The set of new variables of this t-message, denoted $NewVar_p$, is defined recursively:

$NewVar_1 = Sub(\tau_1) \cap (AgVar \cup NVar \cup KVar)$

$NewVar_p = Sub(\tau_p) \cap (AgVar \cup NVar \cup KVar) \setminus (NewVar_1 \cup \ldots \cup NewVar_{p-1})$ for $p > 1$.

Let $j > 0$ and suppose that the first $(j-1)$ messages are realizable by $A$ and $Kn_{A,j-1}$ is defined; then:

- If in message number $j$, $A$ is receiver, this message can be realized by $A$ since $A$ is passive in this action.

- If message number $j$ is of the form $(A, B_j, \tau_j)$, this message can be realized by $A$ if and only if $\tau_j \in Synth_A(Kn_{A,j-1} \cup NewVar_{p_j})$, where $p_j$ is the index of the message $(A, B_j, \tau_j)$ in $P$.

In both cases we have: $Kn_{A,j} = \{B_j\} \cup Anal^*_A(\{\tau_j\} \cup Kn_{A,j-1})$.

A session template $Ses_A$ is realizable if all the t-messages in this session are realizable by role $A$. A protocol is realizable if the session templates of all roles of the protocol are realizable. Clearly, the above procedure is effective, so one can decide whether a protocol is realizable.

For example, on the TMN protocol with the public key of the server, the evolution of the knowledge of each role is:

From now on, we will consider only realizable protocols.
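As an added example (not the paper's own code), the following Python implements $Anal^*_A$, membership in $Synth_A$ and the realizability procedure of this section, and computes the knowledge evolution $Kn_{X,j}$ of each role of the TMN protocol of Example 1. The term encoding, the initial knowledge of each role and the treatment of $NewVar_p$ on a send are assumptions.

```python
"""Added example (not the paper's code): Anal*_A, Synth_A membership and the realizability
check of Sect. 2.2 on the TMN protocol of Example 1.  Term encoding and Kn_{X,0} are assumed."""

AGVAR = {"A", "B", "S"}      # agent variables of the running example
NVAR = {"N", "Na", "Nb"}     # nonce variables
KVAR = {"Ka", "Kb"}          # short term key variables; long term keys are encoded
                             # as ("pub", A), ("priv", A) and ("sh", A, B)

def is_pair(t):
    return isinstance(t, tuple) and t[0] == "pair"

def is_enc(t):
    return isinstance(t, tuple) and t[0] == "enc"

def pair(*ts):
    """n-ary pairing kept in canonical (flattened) form, since pairing is associative."""
    flat = []
    for t in ts:
        flat.extend(t[1:] if is_pair(t) else [t])
    return flat[0] if len(flat) == 1 else ("pair", *flat)

def enc(t, k):
    return ("enc", t, k)                 # the encryption {t}_k

def can_decrypt(k, T, A):
    """Decryption rules of Anal_A for an agent variable A knowing the set T."""
    if k in KVAR:                        # short term key: A must know it
        return k in T
    if k[0] == "sh":                     # {t}_K(A,B): the partner B must be known
        return k[1] == A and k[2] in T
    if k[0] == "pub":                    # {t}_Kpub(A): A's own public key
        return k[1] == A
    return k[0] == "priv" and k[1] in T  # {t}_Kpriv(B): B must be known

def anal_star(T, A):
    """Anal*_A(T): decompose pairs and decrypt until the set is undecomposable."""
    T = set(T)
    while True:
        for t in T:
            if is_pair(t):
                T = (T - {t}) | set(t[1:])
                break
            if is_enc(t) and can_decrypt(t[2], T, A):
                T = (T - {t}) | {t[1]}
                break
        else:                            # no rule applies any more
            return frozenset(T)

def in_synth(t, T, A):
    """t in Synth_A(T): compose known terms; encrypt under K(A,B), Kpriv(A), Kpub(B)
    for any B, or under a short term key that A knows."""
    if t in T:
        return True
    if is_pair(t):
        return all(in_synth(c, T, A) for c in t[1:])
    if is_enc(t):
        k = t[2]
        key_ok = (k in T) if k in KVAR else (
            k == ("priv", A) or k[0] == "pub" or (k[0] == "sh" and k[1] == A))
        return key_ok and in_synth(t[1], T, A)
    return False

def variables(t):
    """Sub(t) ∩ (AgVar ∪ NVar ∪ KVar); agent names inside long term keys count too."""
    if isinstance(t, str):
        return {t} & (AGVAR | NVAR | KVAR)
    if t[0] in ("pub", "priv", "sh"):
        return set(t[1:])
    return set().union(*(variables(c) for c in t[1:]))

def realizable(P, role, init_kn):
    """Knowledge evolution [Kn_{role,0}, Kn_{role,1}, ...] along Ses_role if realizable, else None.
    Assumption: NewVar_p chosen by the role when sending message p joins its knowledge."""
    new_vars, seen = [], set()
    for _, _, t in P:                    # NewVar_p, over the whole protocol
        nv = variables(t) - seen
        new_vars.append(nv)
        seen |= nv
    kn = [frozenset(init_kn)]
    for p, (snd, rcv, t) in enumerate(P):
        if role not in (snd, rcv):
            continue                     # message not in Ses_role
        known = kn[-1]
        if snd == role:                  # send: tau must be in Synth_role
            known = known | new_vars[p]
            if not in_synth(t, known, role):
                return None
        partner = rcv if snd == role else snd
        kn.append(frozenset({partner}) | anal_star({t} | known, role))
    return kn

# TMN with the public key of the server (Example 1).  Kn_{X,0} is assumed to hold the
# role's own name and the server's name.
TMN = [
    ("A", "S", pair("B", enc("Ka", ("pub", "S")))),
    ("S", "B", pair("B", "A")),
    ("B", "S", pair("A", enc("Kb", ("pub", "S")))),
    ("S", "A", pair("B", enc("Kb", "Ka"))),
]
INIT = {"A": {"A", "S"}, "B": {"B", "S"}, "S": {"S"}}
```

`realizable(TMN, role, INIT[role])` returns the list $Kn_{role,0}, Kn_{role,1}, \ldots$; the encrypted term $\{K_a\}_{\mathcal{K}_{pub}(S)}$ stays in $A$'s knowledge as a $CrKn$ element while $S$ decrypts it.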

2.3 States. Transitions 

We now formulate the semantics of a protocol as an infinite transition system where a state contains the set of current partial sessions of agents (it is actually a multiset because the same agent may have several "identical" partial sessions at the same time) and a transition corresponds to a send or a receive event. As in [Low95] we assume that every message is intercepted by the intruder, so w.l.o.g. one considers that every sent message is sent to the intruder and every received message is received from the intruder; hence we have two types of events, send and receive.

States. A valuation $v$ of a set of component templates $T$ is a function that associates to each term $\tau \in T$ a concrete term $\bar{\tau} = v(\tau)$ whose value is in $Value$ (i.e. to each component template is associated its value). We consider here constants as variables for which the valuation is fixed. Let $(\tau_j)_{j=1,\ldots,k}$ be the list of contents of the t-messages of the session of a role $A$ for a protocol $P$. Let $v_j$ be a valuation for $Kn_{A,j}$. We denote by $\tau_j[v_j]$ the concrete term obtained by substituting in the term $\tau_j$ each maximal subterm $\tau'$ which is in $Kn_{A,j}$ by the value $v_j(\tau')$. One can remark that $\tau_j$ is built in a unique way from its maximal subterms which are in $Kn_{A,j}$.

A partial session (or simply session) $\sigma$ is determined by its length $l$, a role $A$ and a valuation $v_l(A)$ for the knowledge $Kn_{A,l}$. The role of session $\sigma$ will be denoted $R_\sigma$. The role $A$, the length $l$ and the valuation $v_l$ permit us to define the list of the $l$ first messages received by the agent playing this role in this session. It is the list of concrete messages $(\tau_j[v_l])_{j=1,\ldots,l}$, $l \le k$, where $(\tau_j)_{j=1,\ldots,k}$ is the list of the t-messages of the session of role $A$. A state is a multiset of partial sessions, as in [CDL+99].

Transitions. The formalization of the evolution of the state of the system via receive or send events is the most delicate part of the modeling. An admissible state is a state reachable from the initial state using transitions labeled by the following events:

- send event: a tuple $(a, \to, (a, b, m))$ where $a, b$ are agents and $(a, b, m)$ is a concrete message. It corresponds to the event "agent $a$ sends (intentionally to agent $b$) the message $m$ and this message is received by the intruder".

- receive event: a tuple $(a, \leftarrow, (a, b, m))$ where $a, b$ are agents and $(a, b, m)$ is a concrete message. It corresponds to the event "the intruder sends to agent $b$ a message $m$ and agent $b$ believes that this message has been sent by agent $a$".

The knowledge of the intruder, denoted $IntrKn$, is the set of values known by the intruder that he cannot decompose further. It will be described more precisely below.

• Send transitions

We have a transition from state $S$ to state $S'$ labeled by the send event $(a, \to, (a, b, m))$, denoted by $S \xrightarrow{(a, \to, (a, b, m))} S'$, if the following conditions are satisfied:

1. $a, b \in Agent$.

2. There exists in $S$ a partial session $\sigma = (l, A, v_l)$ of length $l$ for which the next message is a send event, or agent $a$ starts a partial session for a role $A$ in which the first message of $Ses_A$ is a message sent by $A$.

3. $(a, b, m) = \tau_{l+1}[v_{l+1}]$ where $v_{l+1}$ is a valuation defined as follows:

 (a) $v_{l+1} \mid BasKn_{R_\sigma, l} = v_l \mid BasKn_{R_\sigma, l}$

 (b) $v_{l+1} \mid (BasKn_{R_\sigma, l+1} \setminus BasKn_{R_\sigma, l})$ must satisfy the rules:

  - The values are of the correct type, i.e. values for nonces, agents and short term keys belong respectively to the sets $Nonce$, $Agent$, $Key$.

  - The valuation is injective on the set of nonces and the set of keys, and values are "fresh", i.e., if $X$ is a variable for a nonce (resp. a key) belonging to $BasKn_{R_\sigma, l+1} \setminus BasKn_{R_\sigma, l}$, then $v_{l+1}(X)$ is not in the set of valuations of nonce variables (resp. key variables) for all the partial sessions of state $S$.

  - $CrKn_{R_\sigma, l+1} = CrKn_{R_\sigma, l}$ and, for coherence, $v_{l+1} \mid CrKn_{R_\sigma, l+1} = v_l \mid CrKn_{R_\sigma, l+1}$.

4. $S'$ is the state we obtain when replacing one copy of session $\sigma = (l, A, v_l)$ by $\sigma' = (l+1, A, v_{l+1})$. (It corresponds to extending the list of concrete messages of the partial session $\sigma$ with the concrete message $(a, b, m)$.)

The knowledge of the intruder $\mathcal{I}$ at state $S'$ is:

$IntrKn_{S'} = Anal^*_{\mathcal{I}}(IntrKn_S \cup \{(a, b, m)\})$

• Receive transitions

We consider here only the receive events where the message is accepted by the receiver.

We have a transition from state $S$ to state $S'$ labeled by the receive event $(a, \leftarrow, (a, b, m))$, denoted by $S \xrightarrow{(a, \leftarrow, (a, b, m))} S'$, if the following conditions are satisfied:

1. $a, b \in Agent$.

2. There exists in $S$ a partial session $\sigma = (l, A, v_l)$ for which the next message is a receive event, or (case $l = 0$) agent $a$ starts a partial session for a role $A$ in which the first message of $Ses_A$ is a message received by $A$.

3. $(b, a, m) = \tau_{l+1}[v_{l+1}]$ where $v_{l+1}$ is a valuation defined as follows:

 (a) $v_{l+1} \mid BasKn_{R_\sigma, l} = v_l \mid BasKn_{R_\sigma, l}$

 (b) $v_{l+1} \mid (BasKn_{R_\sigma, l+1} \setminus BasKn_{R_\sigma, l})$ must satisfy the rules:

  - values belong to the set $Synth_{\mathcal{I}}(S)$ defined below;

  - values of agent variables belong to $Agent$.

 (c) $v_{l+1} \mid (CrKn_{R_\sigma, l+1} \cap CrKn_{R_\sigma, l}) = v_l \mid (CrKn_{R_\sigma, l+1} \cap CrKn_{R_\sigma, l})$.

 (d) $v_{l+1} \mid (CrKn_{R_\sigma, l+1} \setminus CrKn_{R_\sigma, l})$ has values in $Synth_{\mathcal{I}}(S)$.

4. $S'$ is the state we obtain when replacing one copy of partial session $\sigma$ by $\sigma' = (l+1, A, v_{l+1})$. (It corresponds to extending the list of concrete messages of the partial session $\sigma$ with the concrete message $(b, a, m)$.)

The knowledge of the intruder $\mathcal{I}$ at state $S'$ is:

$IntrKn_{S'} = Anal^*_{\mathcal{I}}(IntrKn_S \cup \{m\})$

The set $Synth_{\mathcal{I}}(S)$ is the set of concrete terms that the intruder can build at state $S$. It is the least set containing $IntrKn_S$ and satisfying:

- $t_1, \ldots, t_p \in Synth_{\mathcal{I}}(S) \Rightarrow \langle t_1, \ldots, t_p \rangle \in Synth_{\mathcal{I}}(S)$.

- $Agent \subseteq Synth_{\mathcal{I}}(S)$.

- For every agent $a$, the long term key $\mathcal{K}(a, \mathcal{I})$ is in $Synth_{\mathcal{I}}(S)$.

- For every agent $a$, the long term key $\mathcal{K}_{pub}(a)$ is in $Synth_{\mathcal{I}}(S)$.

- For every term $\tau \in Synth_{\mathcal{I}}(S)$ and for every key $\mathcal{K} \in (IntrKn_S \cap Key)$, $\{\tau\}_{\mathcal{K}} \in Synth_{\mathcal{I}}(S)$.

A trace of a protocol is a sequence $S_0 \to S_1 \to \ldots \to S_{n-1} \to S_n$ where $S_0$ is the initial state and each $S_{i-1} \to S_i$ is a transition. The initial knowledge of the intruder $IntrKn_{S_0}$ is given by the protocol.

Remark. One can notice that the rules applied by an honest agent in order to accept a message correspond to a very weak control of the message. The agent makes only equality tests; it has no possibility to control, for example, the depth of encryption, the correct type of values, and so on.

2.4 Secrecy 

In the literature, the definitions of secrecy are generally very dependent on the chosen model and restrictive, i.e. sufficient for the hypotheses made by the authors but not applicable in a more general context. The definition we give here seems very general, at least as long as the concern is the secrecy of values and not of properties.

Definition 1. The secret of a variable $X$ for a nonce or a short term key can be broken from the point of view of $A$ if there exists a reachable state $S$ containing a partial session $\sigma$ of length $l$ for role $A$ with valuation $v_l$ for $Kn_{A,l}$ such that

1. $BasKn_{A,l}$ contains $X$ and the set $\mathcal{R}$ of roles of the protocol,

2. $\mathcal{I}$ does not belong to the valuation $v_l(\mathcal{R})$ ($\mathcal{I}$ does not participate in the partial session $\sigma$ from the point of view of $A$),

3. $v_l(X) \in IntrKn_S$.

As one can observe, the notion of secrecy involves two parameters: a variable for which the secret is broken and a role which can claim the fact. We have to justify points 1 and 2. Why should the set $\mathcal{R}$ be in $BasKn_{A,l}$? Because as long as the agent involved in the partial session $\sigma$ does not know all its partners in this session, it cannot claim whether it is correct that the agent $\mathcal{I}$ knows the value $v_l(X)$. Indeed, if $\mathcal{I}$ participates in an honest way in the session, it is normal that $v_l(X) \in IntrKn_S$. For the same reason the condition that $\mathcal{I}$ does not belong to the valuation $v_l(\mathcal{R})$ is required. An unsolved question is how to define secrecy in the case when the set of roles does not belong to the knowledge of each role at the end of its partial session.

There is a well-known attack [LR97] on the TMN protocol of Example 1. An intruder $\mathcal{I}_a$ acts as if it were $a$:

01 - $\mathcal{I}_a \to S : \langle b, \{K_i\}_{\mathcal{K}_{pub}(S)} \rangle$
02 - $S \to b : \langle a, b \rangle$
03 - $b \to S : \langle a, \{K_b\}_{\mathcal{K}_{pub}(S)} \rangle$
04 - $S \to \mathcal{I}_a : \langle b, \{K_b\}_{K_i} \rangle$

In this attack, the secret is broken for the variable $K_b$ from the point of view of $B$, because the trace given here reaches a state containing a partial session for role $B$ satisfying the above three conditions.

Given a protocol, the variables which can be learnt by an external observer of the protocol are called revealed variables. The others (those which remain inaccessible to this observer) are called unrevealed variables.

More precisely, given a protocol $P = (A_i, B_i, M_i)_{i=1,\ldots,k}$, a variable $X$ for a nonce or a key is revealed in $P$ if $X \in Anal^*_C(\{M_1, \ldots, M_k\})$ for some $C$ which is not a role of $P$. The set of revealed variables of a protocol is clearly computable. In an obvious way, the secret can be broken for every revealed variable from the point of view of every role. Thus, the interesting question is "can the secret be broken for an unrevealed variable?". The next section answers this question by giving a sufficient condition which guarantees that the protocol preserves the secrecy of unrevealed variables for nonces and short term key variables.

3 A sufficient condition for secrecy 
3.1 Well-Composed Protocol 

A signature of a protocol is constituted by a nonce variable, called the session nonce, and a fixed list of the agent roles: $\langle n, A_1, \ldots, A_p \rangle$.

Definition 2. A protocol is well composed if:

1. Encryption is of depth at most two.

2. Private long term asymmetric keys and long term symmetric keys are never transmitted.

3. There exists a signature $S$ such that

 - the content of every t-message is a term of the form $\langle S, \{S, m\}_{\mathcal{K}_{priv}(A)} \rangle$ where $A$ is the sender of the message,

 - every subterm of the protocol which is an encrypted term has the form $\{\langle S, \ldots \rangle\}_{\mathcal{K}}$ (it contains the signature on the left inside the encryption).

4. Two different encrypted terms which are encrypted by the same type of keys (public, private, ...) must have a different number of elements. More precisely, if $\{\langle \tau_1, \ldots, \tau_k \rangle\}_{\mathcal{K}}$ and $\{\langle \tau'_1, \ldots, \tau'_{k'} \rangle\}_{\mathcal{K}'}$ are two different subterms of a protocol $P$ and $\mathcal{K}, \mathcal{K}'$ are of the same type, then $k \ne k'$.



Let us comment on the four conditions. Condition (4) helps to prevent the intruder from passing off a term $\{t\}_{\mathcal{K}}$ as a term $\{t'\}_{\mathcal{K}'}$ while these terms are intended to be distinct in the specification. Another way to obtain the same effect would be to use tagging, as is done in several papers [BP03, HLS00, RS03]. In these papers, tagging is used to prove decidability of secrecy for tagged protocols, but it is not a sufficient condition for secrecy. Condition (3) is reasonable and permits one to know at each moment who is supposed to be involved in the session. The attack on the TMN protocol is due to the fact that this condition is not satisfied. Condition (2) is always recommended [AN96]. Finally, condition (1) is not essential here. We are convinced that this hypothesis could be relaxed, but it would make the proof more complicated.

The TMN protocol is not well composed. Here is a modified version which is well composed:

01 - $A \to S : S, \{S, B, \{S, K_a\}_{\mathcal{K}_{pub}(S)}\}_{\mathcal{K}_{priv}(A)}$
02 - $S \to B : S, \{S, B, A\}_{\mathcal{K}_{priv}(S)}$
03 - $B \to S : S, \{S, A, \{S, K_b\}_{\mathcal{K}_{pub}(S)}\}_{\mathcal{K}_{priv}(B)}$
04 - $S \to A : S, \{S, B, \{S, K_b\}_{K_a}\}_{\mathcal{K}_{priv}(S)}$

The attack presented in the previous section fails in this new version because the intruder cannot impersonate $A$ at the first step of the attack.
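As an added example (not the paper's own code), the following Python checks conditions (1) to (3) of Definition 2 on the TMN protocol of Example 1 and on the modified version above. The term encoding and the signature $S = \langle N, A, B, S \rangle$ (session nonce $N$ followed by the roles) are assumptions; condition (4) is not checked by this block.

```python
"""Added example (not the paper's code): a checker for conditions (1)-(3) of
Definition 2, run on the TMN protocol of Example 1 and on the modified version
above.  Assumptions: the term encoding, and the signature S = <N, A, B, S> (session
nonce N followed by the roles).  Condition (4) is not checked here."""


def is_pair(t):
    return isinstance(t, tuple) and t[0] == "pair"


def is_enc(t):
    return isinstance(t, tuple) and t[0] == "enc"


def pair(*ts):
    """n-ary pairing kept in canonical (flattened) form, since pairing is associative."""
    flat = []
    for t in ts:
        flat.extend(t[1:] if is_pair(t) else [t])
    return flat[0] if len(flat) == 1 else ("pair", *flat)


def enc(t, k):
    return ("enc", t, k)                 # the encryption {t}_k


def components(t):
    """Elements of a term seen as an n-tuple (a non-pair term is a 1-tuple)."""
    return list(t[1:]) if is_pair(t) else [t]


def enc_subterms(t):
    """All encrypted subterms of t, t itself included."""
    if is_enc(t):
        return [t] + enc_subterms(t[1])
    if is_pair(t):
        return [s for c in t[1:] for s in enc_subterms(c)]
    return []


def depth(t):
    """Encryption depth: the maximal number of nested encryptions."""
    if is_enc(t):
        return 1 + depth(t[1])
    if is_pair(t):
        return max(depth(c) for c in t[1:])
    return 0


def transmitted_long_term_keys(t):
    """Private long term or long term symmetric keys occurring as message content
    (in clear or inside an encryption), as opposed to being used as the key."""
    if isinstance(t, tuple) and t[0] in ("priv", "sh"):
        return [t]
    if is_enc(t):
        return transmitted_long_term_keys(t[1])
    if is_pair(t):
        return [k for c in t[1:] for k in transmitted_long_term_keys(c)]
    return []


def starts_with(t, sig):
    """True if the components of t begin with the components of the signature."""
    cs, ss = components(t), components(sig)
    return len(cs) >= len(ss) and cs[:len(ss)] == ss


def violated_conditions(P, sig):
    """Conditions among (1), (2), (3) of Definition 2 that protocol P violates.
    P is a list of t-messages (sender, receiver, term); sig is the signature term."""
    violations = set()
    sig_cs, n = components(sig), len(components(sig))
    for sender, _, t in P:
        if depth(t) > 2:                                  # (1) depth at most two
            violations.add(1)
        if transmitted_long_term_keys(t):                 # (2) no long term key sent
            violations.add(2)
        cs = components(t)                                # (3) <S, {S, m}_Kpriv(sender)>
        outer_ok = (len(cs) == n + 1 and cs[:n] == sig_cs
                    and is_enc(cs[n]) and cs[n][2] == ("priv", sender))
        inner_ok = all(starts_with(e[1], sig) for e in enc_subterms(t))
        if not (outer_ok and inner_ok):
            violations.add(3)
    return sorted(violations)


SIG = pair("N", "A", "B", "S")        # assumed signature: session nonce, then the roles
PUB_S = ("pub", "S")

TMN = [                               # Example 1
    ("A", "S", pair("B", enc("Ka", PUB_S))),
    ("S", "B", pair("B", "A")),
    ("B", "S", pair("A", enc("Kb", PUB_S))),
    ("S", "A", pair("B", enc("Kb", "Ka"))),
]

TMN_WC = [                            # the well composed version given above
    ("A", "S", pair(SIG, enc(pair(SIG, "B", enc(pair(SIG, "Ka"), PUB_S)), ("priv", "A")))),
    ("S", "B", pair(SIG, enc(pair(SIG, "B", "A"), ("priv", "S")))),
    ("B", "S", pair(SIG, enc(pair(SIG, "A", enc(pair(SIG, "Kb"), PUB_S)), ("priv", "B")))),
    ("S", "A", pair(SIG, enc(pair(SIG, "B", enc(pair(SIG, "Kb"), "Ka")), ("priv", "S")))),
]
```

`violated_conditions(TMN, SIG)` reports condition (3), since no TMN message carries the signature, while `violated_conditions(TMN_WC, SIG)` is empty.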

Theorem 1. A well composed protocol preserves the secrecy of unrevealed variables for nonces and short term key variables.

Before giving the proof of this theorem, let us recall the sufficient condition given in [Bea04] to preserve secrecy in the case of symmetric encryption, and show with a counterexample that this condition is not enough for protocols involving asymmetric encryption. This sufficient condition was:

1. Encryption is of depth one.

2. Long term keys are never transmitted.

3. There exists a signature $S$ such that every subterm of the protocol which is an encrypted term has the form $\{\langle S, \ldots \rangle\}_{\mathcal{K}}$ (it contains the signature on the left inside the encryption).

Here is a variant of the TMN protocol which satisfies this condition. Let $S = \langle N, A, B \rangle$ where $N$ is a nonce.



01 - $A \to S : S, B, \{S, K_a\}_{\mathcal{K}_{pub}(S)}$
02 - $S \to B : S, B, A$
03 - $B \to S : S, A, \{S, K_b\}_{\mathcal{K}_{pub}(S)}$
04 - $S \to A : S, B, \{S, K_b\}_{K_a}$

Clearly, an attack similar to the one given before can be repeated.

The next proposition expresses the fact that a well composed protocol guarantees some authenticity: if an agent $a$ receives, in a partial session where it plays role $A$, a message $m$ from another agent $b$, and $a$ thinks that $b$ plays role $B$ and that $m$ corresponds to message number $i$ of the protocol, then indeed $b$ has sent this message for this purpose.


Proposition 1. Let $r$ be a trace of a well composed protocol. If $r$ contains a transition $S \to S'$ where $S$ contains a partial session $\sigma$ of length $l$ belonging to an agent $a$ for the role $A$, and $\sigma$ is replaced in $S'$ by a partial session $\sigma'$ of length $l+1$ in which $b$ has role $B$, then there is a previous transition $S_1 \to S'_1$ in $r$ where $S_1$ contains a partial session $\sigma_1$ of length $l_1$ belonging to agent $b$ for the role $B$ and $\sigma_1$ is replaced in $S'_1$ by a partial session $\sigma'_1$ of length $l_1 + 1$, such that the message number $l+1$ of role $A$ is exactly the message number $l_1 + 1$ of role $B$.

Proof. If $a$ accepts the message, it means that the message is of the right form, namely $(b, a, \tau)$ with $\tau = \langle S_1, \{S_1, \tau'\}_{\mathcal{K}_{priv}(b)} \rangle$. Actually $\tau$ must be encrypted by $\mathcal{K}_{priv}(b)$ since it is supposed to have been sent by $b$. Moreover, $a$ checks that the signature located in the first elements of $\tau$ is the same as the signature contained at the beginning of the encrypted element. As a consequence, $b$ is the agent who encrypted $\tau$. Due to the last condition of the definition of a well composed protocol, $a$ also checks that the number of elements in $\tau$ corresponds to the number of elements awaited by $a$ in this session, so necessarily $b$ built $\tau$ to send message number $l+1$ for the role $A$, and this role is played by $a$ because $a$ occupies in the signature the place corresponding to role $A$.

We now translate into an equivalent form the property of secrecy for a well composed protocol. Let $r$ be a run of length $l$, $X$ be an unrevealed variable for a nonce or a short term key, $x$ be a value, $T$ be a time less than or equal to $l$, and $t$ be a positive integer. The tuple $(r, X, x, T, t)$ satisfies $P_1$ (resp. $P_2$) iff:

- $P_1$: in $r$, at some time $T' < T$, in one of its partial sessions whose signature does not contain $\mathcal{I}$, an honest agent $a$ generates the value $x$ to assign to the unrevealed variable $X$, and at time $T$, $\mathcal{I}$ learns the value $x$ in $t$ steps.

- $P_2$: in $r$, in one of its partial sessions whose signature does not contain $\mathcal{I}$, an honest agent $a$ learns the value $x$ of the unrevealed variable $X$ at time $T$ in $t$ steps, and at the end of the run $r$ the value $x$ belongs to the knowledge of $\mathcal{I}$, i.e. $x \in IntrKn_{S_l}$. Moreover, there is no tuple of the form $(r, X', x, T', t')$ satisfying $P_1$; in other words, $x$ is not a value generated by an honest agent to assign to an unrevealed variable.

Lemma 1. A well composed protocol preserves the secrecy of unrevealed variables for nonces and short term key variables from the point of view of every role iff there does not exist an unrevealed variable $X$ for a nonce or a short term key, a value $x$, a run $r$ of length $l$, a time $T \le l$ and a positive integer $t$ such that the tuple $(r, X, x, T, t)$ satisfies $P_1 \vee P_2$.

Proof. First assume that there exists an unrevealed variable $X$ for a nonce or a short term key, a value $x$, a run $r$ of length $l$, a time $T \le l$ and a positive integer $t$ such that the tuple $(r, X, x, T, t)$ satisfies $P_1 \vee P_2$.

If $(r, X, x, T, t)$ satisfies $P_1$, then in $r$ at some time $T' < T$, in some partial session $\sigma$ for a role $A$ with a signature that does not contain $\mathcal{I}$, an honest agent $a$ generates the value $x$ to assign to the unrevealed variable $X$, and at time $T$, in some state $S$, $\mathcal{I}$ learns the value $x$ in $t$ steps. Clearly the secret of variable $X$ can be broken from the point of view of role $A$. Actually, in state $S$ the extension of partial session $\sigma$ has a length $l$ and a valuation $v_l$ for $Kn_{A,l}$ such that $BasKn_{A,l}$ contains $X$ and the set $\mathcal{R}$ of roles of the protocol, $\mathcal{I}$ does not belong to the valuation $v_l(\mathcal{R})$, and $v_l(X) \in IntrKn_S$.

If $(r, X, x, T, t)$ satisfies $P_2$, in the same way let $A$ be the role played by $a$ in its partial session. The secret of variable $X$ is broken from the point of view of role $A$. The "if" part of the Lemma is proved.

Second, assume that in a well composed protocol the secret of a variable $X$ can be broken from the point of view of a role $A$. It means there exists a reachable state $S$ containing a partial session $\sigma$ of length $l'$ for role $A$ with valuation $v_{l'}$ for $Kn_{A,l'}$ such that $BasKn_{A,l'}$ contains $X$ and the set $\mathcal{R}$ of roles of the protocol, $\mathcal{I}$ does not belong to the valuation $v_{l'}(\mathcal{R})$, and $v_{l'}(X) \in IntrKn_S$. Let $r$ be a run from the initial state of the protocol to state $S$, let $l$ be its length and let $x = v_{l'}(X)$. Since $BasKn_{A,l'}$ contains $X$, at some moment in the partial session $\sigma$ the agent $a = v_{l'}(A)$ either generates the value $x$ to assign to the variable $X$ (first case) or learns it (second case).

In the first case, let $T'$ be the moment when $a$ generates the value $x$. Since $v_{l'}(X) \in IntrKn_S$, there is a time $T > T'$ when the intruder learns $x$ in $t$ steps; more precisely, if $S_i$ denotes the $i$-th state of run $r$, there is a state $S_T$ such that $x \in IntrKn_{S_T}$ and $x \notin IntrKn_{S_{T-1}}$. In this first case the tuple $(r, X, x, T, t)$ satisfies $P_1$.

In the second case, in the partial session $\sigma$, $a$ has not generated $x$ (maybe $a$ has generated $x$ in another session) and $a$ has learnt the value $x$ of $X$ at time $T \le l$ in $t$ steps. If there exists a tuple $(r, X', x, T', t')$ satisfying $P_1$, we are done. If not, then the tuple $(r, X, x, T, t)$ satisfies $P_2$. The "only if" part of the Lemma is proved.

Well composed protocols have an invariant property, which is stated below
somewhat informally:

Lemma 2. If in a trace r, at time T_1, an honest agent a generates a value x
to substitute to an unrevealed variable X in a message m that he sends with a
signature S not including I, then, as long as I does not learn x, x has only
occurrences in encrypted components τ = {S, ..., x, ...}_K where the term τ has
been encrypted by an honest agent belonging to S and put by this same agent in
a message m' in which the place of x inside τ is the place of X.

Proof. The property is true at T_1. Let t > T_1 and assume I does not know x at t. If
x is in an encrypted component, this one has been encrypted by an honest agent
b in some session, otherwise I would know x. By the recurrence hypothesis, the value
x is for b the value of an unrevealed variable X, and then in the component encrypted
by b to send in a message m', x is in place of X.

Proposition 2. In a well composed protocol, there does not exist any tuple
satisfying P_1 ∨ P_2.

Proof. Suppose there exist tuples (r, X, x, T, t) for which P_1 ∨ P_2 holds. Consider
the total strict order relation (r, X, x, T, t) < (r', X', x', T', t') iff T < T' or
(T = T' and t < t'), and take a minimal tuple (r, X, x, T, t) satisfying P_1 ∨ P_2.
Let us examine the two cases:

- The tuple (r, X, x, T, t) satisfies P_1.

Let S be the signature not including I of the partial session in which, at
time T_1 < T, the honest agent a generates the value x to substitute to the
unrevealed variable X in a message m. Let τ be the concrete term from
which I learns x at time T in t steps. We consider here the term of the very
last operation of decryption made by I to learn x. This term τ has a value of
type Cypher and it is of the form {..., x, ...}_K. This term has not been built
by I in r before, otherwise I would have known x before, and (r, X, x, T, t)
would not be minimal. So it has been built by an honest agent d, and for this
reason, due to Lemma 2, it has been built by an honest agent d belonging
to S and put by this same agent in a message m' in which the place of x
inside τ is the place of X. Thus the term τ is of the form {S, x, ...}_K,
because the places of the unrevealed variable X cannot be the places of the
components of S. There are 3 cases for K:

1. K is a long term symmetric key;

2. K is a public long term key;

3. K is a short term symmetric key.

Actually, K cannot be a private key, because this private key should be
K_priv(d) and the component would not be in an unrevealed position. Let us
go through each of the three cases:

1. Since d has built the term τ, and since the signature inside τ does not
contain I, K is equal to some K(c, d) where c is an honest agent. So I
cannot decrypt τ. This first case is not possible.

2. The key K cannot be the public key of I, because I is not in the signature
S. So I cannot decrypt τ. This second case is also impossible.

3. In the partial session s where d builds the term τ at time T' < T, either
d knows K or he generates it. In both cases, in the message m' sent by d
which contains τ, K is in place of an unrevealed variable Y, otherwise
x itself would be in an unrevealed place. Thus the secret is broken from
the point of view of the role played by d in this partial session s and for
the variable Y in the place of K in the term τ inside the message m'.
As for K there are two possibilities. Either d has generated it or he has
learnt it at time at most T' in this session s. In the first case, there
is a tuple (r, Y, K, T', t') which satisfies P_1 with T' < T. In the second
case there is a tuple (r, Y, K, T', t') which satisfies P_2 with T' < T. It
contradicts the minimality of (r, X, x, T, t).

- The tuple (r, X, x, T, t) satisfies P_2.

At time T, in t steps, an honest agent a in a partial session s whose signature
S does not contain I learns the value x. Let τ be the last encrypted concrete
term from which a learns x. This term τ was contained in a message m_1
received by a at time T or before, and x in this message m_1 is in place
of an unrevealed variable X. This message, which has been accepted by a,
has the form <S, {S, τ, ...}_{K_priv(a_1)}> where a_1 ∈ S, or <S, τ>. Here
we use the fact that the protocol has an encryption depth at most two. If
m_1 were equal to <S, τ>, then we would have τ = {..., x, ...}_{K_priv(c)} and
x would be in place of a revealed variable. So the message has the form
<S, {S, τ, ...}_{K_priv(a_1)}>. Moreover the term τ has the form {..., x, ...}_K. Let
us observe that the number of components of <S, {S, ..., τ, ...}_{K_priv(a_1)}>
permits the agent a to identify the index i of the message. For the same
reason, since the term {S, ..., τ, ...}_{K_priv(a_1)} has been built by a_1 in some
partial session s_1, a_1 has built this term in order to send the message m_1,
and the value of τ in the partial session s_1 of a_1 and in the partial session s
of a are associated to the same symbolic term of the protocol. Let us come
back to τ = {..., x, ...}_K.

If the agent a_1 in the partial session s_1 builds the term τ by encryption
with K before sending the message m_1, it means that in this session s_1 at
this moment, x is known by a_1. So in this session s_1, x is learnt by a_1 at
a time T' < T in t' steps. Indeed, x is not generated by a_1, at least in
this session, because for a_1, in this session, x is the value of X which is
unrevealed, which would contradict the fact that (r, X, x, T, t) satisfies P_2.
Thus replacing a by a_1 we get a tuple (r, X, x, T', t') satisfying P_2 which
contradicts the minimality of (r, X, x, T, t). So the agent a_1 in the partial
session s_1 does not build the term τ by encryption with K before sending
the message m_1. It means that this term τ has been obtained from a previous
message m_2 that the agent a_1 received in its partial session s_1. Thus we can
iterate our reasoning for a_1 instead of a, but only a finite number of times
because the run r is finite. Thus we get in any case a contradiction.

So we have proved that there cannot exist any tuple satisfying P_1 ∨ P_2, which, by
induction, proves Proposition 2.



Theorem 1 is a direct consequence of Lemma 1 and Proposition 2.
A well composed version of the TMN protocol would be:

Example 2.

01 - A -> S : S, {S, B, {S, Ka}_{Kpub(S)}}_{Kpriv(A)}

02 - S -> B : S, {S, B^2, A}_{Kpriv(S)}

03 - B -> S : S, {S, B^2, A, {S, Kb}_{Kpub(S)}}_{Kpriv(B)}

04 - S -> A : S, {S, B^5, {S,

(B^n means a sequence of n B)

The previous attack fails at the first step because the intruder cannot impersonate
the agent a for role A in the first message of the protocol. There are other
attacks on this protocol which use the algebraic properties of the XOR algorithm
used for encryption, but they are out of the scope of our framework.

Remark. As noticed by M. Abadi in [Aba99], authenticity is dual to secrecy
in the sense that authenticity concerns the source of the messages while secrecy
concerns their destination. Nevertheless, it seems that it is hard to ensure secrecy
without some phase of authentication. If we look at attacks that breach the
secrecy without using specific algebraic properties of the encryption algorithms,
very often the intruder exploits some weakness of the protocol with respect to
authentication.

4 An algorithm for securing protocols

In this section we describe a very simple algorithm A which transforms a protocol
P into a protocol P' = A(P) which is secure w.r.t. secrecy and such that P'
preserves the "intended goal" of P for a large class C of protocols. Of course, we
have to define what it means "to preserve the intended goal". We first describe
the class C, secondly we give the algorithm A which can be applied to every
protocol in the class C, then we define an equivalence relation over the set of
protocols in C. Finally we prove that for every protocol P in C the protocol
A(P) is equivalent to P and is well composed, so A(P) is secure w.r.t. secrecy.

4.1 The class C and the algorithm A

Definition 3. A protocol is in C if it satisfies the following conditions:

- Encryption is of depth at most two.

- If in a template message (A, B, τ) there is a subterm τ' of τ with an encryption
depth equal to two, then τ' = {τ''}_{K_priv(A)}.

- Private long term asymmetric keys and long term symmetric keys are never
transmitted.

A lot of protocols belong to the class C: ISO/IEC 11770-3 Key Transport
Mechanisms (1,2,3,4,5,6), Helsinki Protocol, TMN with public key protocol, Blake-
Wilson-Menezes Secure Key Transport Protocol, Needham-Schroeder Public Key
Protocol, X.509 one-pass, two-pass, three-pass authentication, ...
The algorithm A is the following:

1. Introduce a new variable N for a session nonce, and define a signature
S = <N, R_1, R_2, ..., R_k> where R_1, R_2, ..., R_k are the roles of the protocol P.

2. Transform the content m of each template message (A, B, m) according to
the type of m:

 * If m is a tuple of n elements (n ≥ 1) and none of them is encrypted by
K_priv(A), replace m with {m}_{K_priv(A)}.

 * If m = <τ_1, ..., τ_n> (n ≥ 1) and at least one of the τ_i is encrypted by
K_priv(A), replace m with {m'}_{K_priv(A)} where m' is the term we get by
replacing each term τ_i = {τ'_i}_{K_priv(A)} with τ'_i. In other terms, the
encryption with K_priv(A) is done over the tuple instead of some of its
elements.

3. Replace in each template message each subterm of the form {τ}_K by the
subterm {<S, τ>}_K. Notice that, by associativity, we have <S, τ> =
<N, R_1, R_2, ..., R_k, τ>.

4. Replace each content m with <S, m>.

5. If several terms of the protocol encrypted by the same type of key (namely
long term public, long term private, long term symmetric or
short term symmetric) have the same number of elements, add inside
the term, after the signature, occurrences of the last role in order to get
different numbers of elements for all the encrypted terms of the same type.

The well composed protocol of Example 2 is obtained by applying this algorithm
to Example 1.

We now prove that the protocol P' one obtains by applying the algorithm A to
a protocol P ∈ C is in some sense equivalent to P, i.e. the new knowledge of
each role is essentially the same as before, at least from the point of view of the
nonces and the session keys appearing in the protocol P.

Definition 4. Let P be a protocol in the class C and P' = A(P). The protocol
P' is said to be weakly equivalent to P if for each role R_i and for each step j,
BasKn_{R_i,j}(P') = BasKn_{R_i,j}(P) ∪ {R_1, ..., R_n} ∪ {N} and CrKn_{R_i,j}(P') =
σ(CrKn_{R_i,j}(P)) where σ({τ}_K) = {<S, τ>}_K for every term τ. (Notice
that terms of CrKn_{R_i,j} have an encryption depth equal to 1 for protocols in the
class C.)

In other terms, at every step, the basic knowledge is only increased by the set
of roles and the nonce which is added, and the encrypted knowledge is the same
except that the signature is inserted in the encrypted term.

Theorem 2. Let P be a protocol in the class C and P' = A(P). The protocol 
P' is weakly equivalent to P and is well composed. 

Proof. Recall that for every role A, Kn_{A,j}(P) = {B_j} ∪ Anal_A({τ_j} ∪ Kn_{A,j-1})
if the j-th template message of his partial session is (A, B_j, τ_j) or
(B_j, A, τ_j).

Let (A, B_j, <S, {S, τ'_j}_{K_priv(A)}>), resp. (B_j, A, <S, {S, τ'_j}_{K_priv(B_j)}>), be
the corresponding message in P'. We have

Kn_{A,j}(P') = {B_j} ∪ Anal_A({<S, {S, τ'_j}_{K_priv(A)}>} ∪ Kn_{A,j-1}(P')),

where τ'_j is obtained from τ_j essentially by adding the signature in every
encrypted term. So by induction on j,

Kn_{A,j}(P') = BasKn_{A,j}(P) ∪ {R_1, ..., R_n} ∪ {N} ∪ σ(CrKn_{A,j}(P))

where S = <N, R_1, ..., R_n>.

Remark. The condition concerning the number of elements inside encrypted
terms of the same type can be obtained more simply by adding different integers
inside the encrypted terms, which permit to identify them. Proceeding in this
way, the messages will be shorter.

5 Conclusion 

We have given a simple sufficient condition to guarantee the secrecy for cryptographic
protocols which use pairing and symmetric and/or asymmetric encryption.
Secrecy is ensured for an unbounded number of agents, nonces, sessions,
without assuming any typing of terms. Moreover, for a large class of protocols we
provide an algorithm which transforms a protocol into a secure one w.r.t. secrecy
and preserves the "intended goal" of the original protocol. To our knowledge it
is the first result of this type.

We have limited our work to protocols of depth at most two, which is reasonable
from a practical point of view. It seems that we could get rid of this
restriction easily, but the proof would be more technical. A drawback of our
sufficient condition is that the systematic signature of messages with the private
key of the sender increases the size of the message. It would be better to replace
<S, {S, m}_{K_priv(A)}> with <S, m, {H(S, m)}_{K_priv(A)}> where H is a hash
function. We propose to extend our study with more primitives, in particular
with hash functions.